No time to waste: metals and mining organizations must dig deep to stay ahead of cyber threats

As the energy transition unfolds, metals and mining companies are modernizing to stay ahead of change. But will this increased adoption of technology entice cyber criminals looking to cash in on their progress?


In brief
  • The metals and mining industry is transforming to take its rightful place as an important contributor to the clean economy of the future.
  • IT and operational technology (OT) convergence, integration and proactive cyber planning will be critical to minimizing shutdowns, safety concerns and reputational risk, protecting data and intellectual property and curtailing financial loss.
  • As cyber criminals monetize data and influence business dynamics in a geopolitically charged landscape, collaboration will be key to locking down cybersecurity plans and protocols and building the resilience needed to react quickly and circumvent increased threat activity.

This article is authored by Juan Valbuena, EY Americas Metals & Mining Cybersecurity Leader.

With expectations of rising to the occasion and being part of the burgeoning clean economy, today’s metals and mining companies are facing a significant dilemma. The impetus for change is clear — businesses need to update, modernize and evolve if they are to secure their rightful place in the future.

But despite the benefits, determining how to proceed and transitioning to automation, artificial intelligence (AI), internet of things (IoT) and cloud technologies are not the biggest challenges that many metals and mining businesses are facing.

New technologies are the cost of admission for miners with their eyes to the future. But while tech offers efficiencies and safety benefits, promises cost-cutting and profitability, and reduces organizations’ carbon footprint for longer-term sustainability and competitiveness, it can also put them at risk of cyber breaches that can bring operations to a standstill.

Cybersecurity should be top of mind. In relative terms, the industry has come slowly to the transition table but is making steady progress in adopting and implementing operational technologies. The complexity of change, and the scale and distance across which it must be implemented, are costly and often daunting. Culture and skills gaps in getting teams accustomed to new ways of working create internal friction, and regulatory and stakeholder requirements add further pressure.

But as the sector automates, transitions to the cloud and increasingly relies on operational data, its attack surface grows. This leaves those with inadequate or immature cyber programs exposed and vulnerable.

Threat actors are taking notice. Cyber incidents in mining are on the rise. The Mining and Metals Information Sharing Analysis Centre (MM-ISAC) in Canada tracked 11 cybersecurity incidents in 2023, twice as many as the previous year.[1]

And with the Fourth Industrial Revolution upon us, and one in four detected cyber attacks having targeted manufacturers in 2023, the metals and mining sector can be expected to top cybercriminal hit lists, with the industry deemed the most susceptible to attack this past year.[2]

From the Stuxnet virus that reportedly destroyed uranium-producing technologies in Iran more than two decades ago to last year’s ransomware attack that shuttered operations of a Canadian copper company and another from Germany, there are examples across the globe.

And while those with smaller attack surfaces will be easier to protect, as metals and mining continues to adopt technologies and rely on susceptible supply chain partners in a geopolitically driven environment, no organization is impervious.

So, what do metals and mining businesses need to do to advance their forward momentum, while reducing the potential for threats today and into the future?

The burning platform

Becoming more technologically sophisticated demands that evolving businesses more deeply understand their exposure and proactively determine and plan to reflect their risk appetite. Governance and a solid risk management framework can help map an organization’s telemetry, put the right processes in place and prepare teams on the ground with the necessary protocols to properly respond to incidents with urgency and agility.

Often, an organization’s internal lack of understanding of the true and broad impacts of cyber threats is a primary barrier to action. Leadership knows, for example, that a compromise can shut down production, so they can put essential contingencies in place to address it. But what if a cyber attack manipulates readings so monitoring systems don’t recognize a compromise? Or more seriously, what if hacked health and safety controls risk not only production, but human life?

Building a cyber stronghold that can effectively anticipate and act on such issues requires on- and offsite connection and aligned synergies, priorities and oversight — from the top of an organization down. The EY Top 10 business risks and opportunities for mining and metals 2024 report indicates that risks to infrastructure, intellectual property, finances, reputation and supply chain, and potential physical and employee dangers, top the list of cybersecurity-related concerns on executives’ minds. This is proof that cybersecurity is no longer simply a technology issue. If risks are to be mitigated as disruption continues, the C-suite, meaning the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Information Officer (CIO) and Chief Information Security Officer (CISO), along with Risk Management and Operations, must all march in lockstep.

Bringing all stakeholders into the conversation means cyber teams must collaborate and work alongside metals and mining personnel to identify critical service applications. Communicating openly — with full visibility and disclosure of risk management activities and the holistic impacts they have on production and safety, brand and reputation — can also help advance cyber culture, build resilience and boost preparedness to lessen the impact of the “human factor” across the business.

Setting the table

While not without its challenges, bringing leadership, tech and operational teams into the conversation is essential to defining risk profile and building a holistic cybersecurity plan. Our EY teams help organizations facilitate such discussions by conducting capability and risk assessments, defining and implementing cyber risk mitigation strategies and even simulating cyber attacks to make it real for impacted parties and better identify dangerous gaps.

Our teams bring global skills, providing critical continuity across even the most complicated cyber response plan and proactively anticipating challenges, whether assessing a client’s current governance and environment or setting up strike teams, facilitating conversations or addressing policies.

Our global network with metals and mining businesses around the world means we can readily connect with different sites wherever their operations may be. EY wavespace™ centers of excellence for digital capabilities create opportunities to collaborate across virtual boardrooms and physical borders, making room for all voices to be heard and unique perspectives to be brought to the table.

Pop-up and mobile capabilities allow us to set up at metals and mining sites or offices, incorporating onsite teams to deliver faster and secure bespoke solutions. And through our global network of wavespace environments, EY teams can facilitate client teams in exploring and testing ideas in real time, conducting demos, data lab incubation and workshops, with access to specific skills and proprietary technologies.

High-level learnings from our labs and EY Americas Metals and Mining Center of Excellence provide guidance and innovation-led approaches to risk scenarios that many metals and mining companies are facing today — or might be tomorrow. Our multidisciplinary teams provide specialized operations capabilities and advanced knowledge of innovative technologies that can help interpret and put action plans into place to optimize data-driven diagnostics, help deliver on health and safety objectives, and safeguard a business’s digital transformation.

Starting with good risk management practices, our Cybersecurity practice takes a holistic approach by assessing operational technology and critical asset risks, including potential supply chain exposure, to embed strong visibility across the business. Dovetailing each of these components with an organization’s risk appetite, controls and governance, we can help establish a tailored framework that continuously identifies gaps, reduces vulnerabilities and builds cyber resilience in a well-established and risk-aware culture.

Regardless of where your organization is on this cybersecurity journey, whether you’re just beginning to digitalize operations or even if you’ve already been infiltrated by threat actors, we can help prepare you to respond to and withstand an attack and mitigate potential losses.

Reach out to a member of our team to start the conversation. We’d be happy to share our experiences and help inform your decision-making, set up a visit with our lab or run a simulation that can pinpoint vulnerabilities, guide your cybersecurity strategies, define detailed procedures and playbooks, and prioritize your plans.



Summary

The digital revolution has left no industry untouched. As the pace of change accelerates and operational and security technologies evolve, cyber threats will not simply be the responsibility of the CISO or CIO, but a business problem co-owned by every team across the business. With potential cyber-related regulation on the horizon, organizations with cybersecurity integrated into their crisis management plan will be able to proactively rise above the next threat, with confidence that their infrastructure, technological investments and people are safeguarded, and they have the necessary protocols in place company-wide to act swiftly and surely and mitigate against costly breaches and potential downtime.
